[virglrenderer-devel] [PATCH] vrend: fix a stack overflow in set framebuffer state
Li Qiang
liq3ea at gmail.com
Tue Dec 27 02:24:08 UTC 2016
Add the sanity check of the 'nr_cbufs' to avoid stack
overflow.
Signed-off-by: Li Qiang <liq3ea at gmail.com>
---
src/vrend_decode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/vrend_decode.c b/src/vrend_decode.c
index ede7280..09f08ae 100644
--- a/src/vrend_decode.c
+++ b/src/vrend_decode.c
@@ -136,6 +136,10 @@ static int vrend_decode_set_framebuffer_state(struct vrend_decode_ctx *ctx, int
if (length != (2 + nr_cbufs))
return EINVAL;
+
+ if (nr_cbufs > 8)
+ return EINVAL;
+
for (i = 0; i < nr_cbufs; i++)
surf_handle[i] = get_buf_entry(ctx, VIRGL_SET_FRAMEBUFFER_STATE_CBUF_HANDLE(i));
vrend_set_framebuffer_state(ctx->grctx, nr_cbufs, surf_handle, zsurf_handle);
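Review bot: the new bound `if (nr_cbufs > 8)` is a bare magic number while the array it protects, `surf_handle`, is declared outside this hunk; if the declaration ever changes size the check silently drifts. Prefer tying the limit to the declaration, e.g. `if (nr_cbufs > ARRAY_SIZE(surf_handle))` or a shared named constant used at both the declaration and the check, and mention in the commit message that `nr_cbufs` is read from the guest-supplied command stream, which is why the existing `length != (2 + nr_cbufs)` check alone does not bound the `surf_handle[i]` writes.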
--
2.7.4